
We have multiple IIS instances spread across remote regional branches. Each IIS instance (v.7.5) is running the same application and authenticates its users with Integrated Authentication (NTLM in the providers list).

A few branches get frequently disconnected from HQ, so that the Domain Controller cannot be reached. When the link to headquarters is down, we observe that some users can still authenticate to the IIS server whereas some others cannot.

The MSFT documentation that we could find on both NTLM and Kerberos authentication does not include information on how these mechanisms (and/or IIS itself) deal with the situation of a temporarily disconnected domain controller. Information is easily available for workstations: a policy setting defines how many logins shall remain cached locally, allowing interactive logons with an offline DC. But what happens for IIS?

  • Can authentication occur when the DC is unavailable?
  • If yes, what are the requirements?
  • Is there some sort of caching involved? (typically: can a domain-member workstation reboot and still access an NTLM-authenticating IIS application if the DC is down?)

Any help or pointers to documentation about this topic would be much appreciated,

kind regards, sb

Starbuck3000

1 Answer


Windows caches authentication credentials for limited periods. It is likely your web servers have had users authenticate when they have had a connection to a DC. These users will be able to use the site during interruptions in communication, but new users who have not recently used the site will be prevented.

If the connections are not reliable, you may be best served by activating the domain controller role at the branches to have full AD replication.

Pekka
  • Thanks Pekka for your answer. Probable caching of credentials makes sense, but I am worried about why this isn't clearly documented. The link you referred to contains information on local credentials storage and interactive logons. Can this be extended to an IIS server in regards to its client connections...? AD replication is in our "possible measures" but I am trying to find some official documentation that would confirm this is a requirement and not just the result of a misconfiguration on the IIS server. (sorry I can't vote your answer up...not enough credits yet). – Starbuck3000 Nov 19 '13 at 16:27
  • You can confirm this by introducing something other than domain NTLM authentication in the IIS application. Create some local accounts and use these to authenticate the sessions and verify that they continue to work regardless of the network connection status. You can verify the connection status by inspecting the IIS logs to see what accounts are being presented in the queries, and the Security logs for interesting events. – Pekka Nov 19 '13 at 21:55
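The log inspection suggested in the last comment, as an added example that is not part of the original thread: a small parser for IIS W3C logs that tallies, per client, which accounts completed a logon and which 401.1 rejections carried a Win32 error. It assumes the default IIS 7.5 field list and that a rejected logon is logged as status 401, substatus 1, with the Win32 error in sc-win32-status; the log lines are constructed.

```python
"""Tally who could and could not authenticate from an IIS W3C log."""
from collections import defaultdict

# Win32 error codes IIS writes to sc-win32-status when a logon is rejected.
ERROR_NO_LOGON_SERVERS = 1311  # no domain controller could be reached
ERROR_LOGON_FAILURE = 1326     # credentials were rejected

# Constructed sample log (IIS 7.5 W3C format, not a real capture). With NTLM,
# the first request is an anonymous 401.2 challenge; the second either
# succeeds (cs-username filled in) or is rejected as 401.1.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-11-19 16:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-11-19 16:00:01 10.0.0.5 GET /app/ - 80 - 10.1.2.3 Mozilla/5.0 401 2 5 0
2013-11-19 16:00:01 10.0.0.5 GET /app/ - 80 CORP\\alice 10.1.2.3 Mozilla/5.0 200 0 0 15
2013-11-19 16:05:10 10.0.0.5 GET /app/ - 80 - 10.1.2.7 Mozilla/5.0 401 2 5 0
2013-11-19 16:05:10 10.0.0.5 GET /app/ - 80 - 10.1.2.7 Mozilla/5.0 401 1 1311 3
2013-11-19 16:06:00 10.0.0.5 GET /app/ - 80 - 10.1.2.9 Mozilla/5.0 401 2 5 0
2013-11-19 16:06:00 10.0.0.5 GET /app/ - 80 - 10.1.2.9 Mozilla/5.0 401 1 1326 2
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        elif fields:
            yield dict(zip(fields, line.split()))


def auth_summary(text):
    """Per client IP: accounts that logged on, and Win32 errors of 401.1 rejections."""
    summary = defaultdict(lambda: {"users": set(), "failures": []})
    for r in parse_w3c(text):
        entry = summary[r["c-ip"]]
        if r["cs-username"] != "-":
            entry["users"].add(r["cs-username"])  # a completed logon
        elif r["sc-status"] == "401" and r["sc-substatus"] == "1":
            entry["failures"].append(int(r["sc-win32-status"]))  # logon rejected
    return dict(summary)


def no_logon_server_clients(text):
    """Clients whose logon was rejected because no DC answered (the outage signature)."""
    return sorted(ip for ip, e in auth_summary(text).items()
                  if ERROR_NO_LOGON_SERVERS in e["failures"])
```

Running it over a branch server's log during an outage separates users whose logon still completed from those the server could not validate, which is the distinction the question asks about.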